This blog is dedicated to computer forensic research and topics that I come across that I feel are both beneficial to the forensic community and interesting/useful information to read. This is my own personal opinion and work and does not reflect any entity except for myself unless expressed otherwise.

Wednesday, January 23, 2013

Capstone is finally here.
Almost five years of college later, and it’s all about to end. Time to get cracking on the final project. Ideas were bouncing through my head for quite some time as I debated about what I wanted to do. I dabbled in the ideas of Siri, Google Chrome Sync, Samsung Kies, Evernote, and a few other things. Nothing was really grabbing my attention, though, and sucking me in. I wanted my project to be an “all-star” level project with the potential of going to a conference. Fortunately, my professors here at Champlain College know some pretty big-name people in the industry, and a very unique and fun project idea was dropped on me. Corey Harrell sparked the idea a few months ago while thinking about virtual desktop environments, and it was passed down to me through my professor Jon Rajewski. I’d like to give credit to both of them for the project idea, and I can’t wait to see what information I obtain from it in the long run!

Source: AtlantisComputing.com

Virtual desktop environments (VDIs) are quickly becoming more popular as businesses attempt to cut costs in different areas while increasing productivity. Employing a VDI automates many processes that networks currently undertake and makes provisioning new machines and scaling them up much easier. There are many popular platforms in use right now, including VMware, Hyper-V, and Citrix. Though the technology is not yet widespread or implemented in many corporations, it is important to realize that it very well could be. It is always better to be proactive and already have a set idea of what measures need to be implemented and what data is retrievable ahead of time.

Source: VirtualizationPractice.com

It is also worth explaining why this project matters. VDIs are definitely the direction networks, regardless of whether they are small or large, are moving in. It is much easier for a company to purchase multiple $200 thin-client computers and have them remotely connect to a powerful virtual machine than it is for the company to purchase multiple $1,500 machines. Having, at the very least, a basic understanding of what we can get as forensicators from VDIs will be invaluable. Although many people who have been in the industry for a while will probably say they have come across this scenario only a handful of times in their career, the answer will be very different in a few years.

Source: PacketSniffers.com

While researching VDIs, I plan on using Citrix as my main client. My setup will involve a server using Citrix’s XenServer as the hypervisor, Citrix XenCenter controlling the hypervisor, a Windows Server 2008 R2 domain controller primarily for DHCP, and multiple Windows virtual machines. Windows virtual machines are arguably the most common thin-client that will be seen in the workplace. I plan on examining what is capable of being obtained from both persistent and non-persistent VDIs by creating a base scenario/template that will have multiple users accessing different, commonly found artifacts. Ideally, if my time before the project is due permits, I would like to explore what information can be found on the XenServer itself, what may be obtainable through the Windows Server, and what potential information may be available through XenCenter.

Source: support.citrix.com

The project outline involves the initial setup (which may take some time), creating the template scenario, working with both persistent and non-persistent machines, and ultimately attempting forensics on these machines.

There is a lot of appeal in the project to me. First and foremost, there is not much research that has been done on the topic to date. This is something that could easily take months to do and could continue on, looking for various artifacts and attempting different ways to capture the information. My hope is that I can at least, if nothing else, come to the conclusion that information “A-G” is available on a persistent VDI, maybe no information or “A-C” is available on a non-persistent one, and “A-Z” is available when the VDI as well as the hypervisor and domain controller are all obtainable. Having the initial research done will help in many future endeavors as the technology becomes much more prevalent and more investigators come across virtual desktop environments. I’m excited to start digging into it, so make sure to check back over the next 10 weeks to see my progress!

Source: ehowcdn.com

Please feel free to leave any comments as well, and any insight on where you think this should go!